MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3a82c4d1fcff8b6ec93f5fb92a3e9ce015cac13a770af5e50f6621bee1219da8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DarkCloud


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3a82c4d1fcff8b6ec93f5fb92a3e9ce015cac13a770af5e50f6621bee1219da8
SHA3-384 hash: 20662b15dfec58dd97f53000abcc5cc84820e599d4fc546125526b5bc3d00595df606242d7c2403ddc6348b2862dd9c1
SHA1 hash: f24c481a2a0b9df5bee12509e7c83fb698aa98da
MD5 hash: 6127caa081afcb0a405d6b8836a096fd
humanhash: football-leopard-floor-alaska
File name:UPDATED SOA.exe
Download: download sample
Signature DarkCloud
Create hunting rule
File size:376'319 bytes
First seen:2023-07-13 05:45:44 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 61259b55b8912888e90f516ca08dc514 (1'059 x Formbook, 741 x AgentTesla, 427 x GuLoader)
ssdeep 6144:vYa60Ep33MoNpYEpESJGEREnbq8+kub/vPsPJZ+lSZPgpv2OYbjjQ5Qd75m5XXAP:vYS438EmEJGERQJ+rb/sPf+lShgwZ3qS
Threatray 1'023 similar samples on MalwareBazaar
TLSH T1018422543AA4C077D5134B367B7582B96FA6CC13B9F45A0BD3A0AB8D3A72344CD5E312
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter lowmal3
Tags:DarkCloud exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
255
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
UPDATED SOA.exe
Verdict:
Malicious activity
Analysis date:
2023-07-13 05:48:35 UTC
Tags:
darkcloud
Link:
https://app.any.run/tasks/99e8130d-bd70-480e-99fb-85ab521ae32f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/417226/
Detection(s):
SecuriteInfo.com.Trojan.NSISX.Spy.Gen.24.19663.18507.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Creating a file
Creating a file in the %AppData% subdirectories
Unauthorized injection to a recently created process
Restart of the analyzed sample
Сreating synchronization primitives
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/97369/overview
Behaviour
MalwareBazaar
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control lolbin overlay packed shell32
Link:
https://www.filescan.io/uploads/64af8f9aa15fc7eb4fd1c78b/reports/55cf8d81-de72-4031-a74d-bf3adaf29d8f/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/3a82c4d1fcff8b6ec93f5fb92a3e9ce015cac13a770af5e50f6621bee1219da8
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3211b9c1-29c6-431e-9a20-f704c8b57204
Result
Threat name:
DarkCloud
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1272182
Signature
Creates multiple autostart registry keys
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Tries to harvest and steal browser information (history, passwords, etc)
Writes or reads registry keys via WMI
Yara detected DarkCloud
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1272182 Sample: UPDATED_SOA.exe Startdate: 13/07/2023 Architecture: WINDOWS Score: 100 51 Found malware configuration 2->51 53 Multi AV Scanner detection for dropped file 2->53 55 Multi AV Scanner detection for submitted file 2->55 57 3 other signatures 2->57 6 UPDATED_SOA.exe 1 20 2->6         started        10 yienwsbwgpluea.exe 18 2->10         started        12 abacus.exe 2->12         started        14 2 other processes 2->14 process3 file4 31 C:\Users\user\AppData\...\yienwsbwgpluea.exe, PE32 6->31 dropped 33 C:\Users\user\AppData\...\ymfummqivb.dll, PE32 6->33 dropped 65 May check the online IP address of the machine 6->65 67 Creates multiple autostart registry keys 6->67 69 Maps a DLL or memory area into another process 6->69 16 UPDATED_SOA.exe 2 34 6->16         started        35 C:\Users\user\AppData\...\ymfummqivb.dll, PE32 10->35 dropped 71 Multi AV Scanner detection for dropped file 10->71 73 Machine Learning detection for dropped file 10->73 75 Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors) 10->75 21 yienwsbwgpluea.exe 32 10->21         started        37 C:\Users\user\AppData\...\ymfummqivb.dll, PE32 12->37 dropped 77 Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes) 12->77 79 Writes or reads registry keys via WMI 12->79 23 abacus.exe 12->23         started        39 C:\Users\user\AppData\...\ymfummqivb.dll, PE32 14->39 dropped 41 C:\Users\user\AppData\...\ymfummqivb.dll, PE32 14->41 dropped 25 abacus.exe 14->25         started        27 yienwsbwgpluea.exe 28 14->27         started        signatures5 process6 dnsIp7 43 showip.net 16->43 45 mail.sachingandhiarchitects.com 176.74.27.65, 465, 49706, 49709 DREAMSCAPE-AS-APDreamscapeNetworksLimitedAU United Kingdom 16->45 47 showip.net 162.55.60.2, 49705, 49707, 49708 ACPCA United States 16->47 29 C:\Users\user\AppData\Roaming\...\abacus.exe, PE32 16->29 dropped 59 Creates multiple autostart registry keys 16->59 49 192.168.2.1 unknown unknown 21->49 61 Tries to harvest and steal browser information (history, passwords, etc) 25->61 file8 63 May check the online IP address of the machine 43->63 signatures9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3a82c4d1fcff8b6ec93f5fb92a3e9ce015cac13a770af5e50f6621bee1219da8/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-07-12 23:40:45 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
23 of 37 (62.16%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hkbmjup476fw5sj7l64supu44ak4vqj2o4fplzipmyq35yjbtwua._file
Verdict:
malicious
Similar samples:
074f4cf5b5fa0260e1fc48c591ee900246aa3cc382e3019c55cde7aea428b508
DarkCloud
19c456f77ef7a2c3d34f397ab4d435092281b157a76ab5e5002370a283e40e65
DarkCloud
2b4b15b5d5d397385ff0c94694b64f604a284fabcf60b227356ece67a5b64ee7
DarkCloud
4f46b17d1db8bdb30b33dfa8ed5335149bb4f920780e349b6b02155e337c8b57
DarkCloud
53bb0f293733cadbf6b5704cd0359b61acaa6367eb49268905714492d35ddf81
DarkCloud
5a65fc8087d39879abd9c17bbb3581a3d8e57595cc2fff526743aa95e660a59d
DarkCloud
69158a09d4c8167f9e137da4fca102ffdeb9f5478d46446a34dd3bbe1ccfa1f6
DarkCloud
8e8dd0e9d0adac40a526531b51e77cd939d0d15f7d93fc6394d58d503b8ef8de
DarkCloud
c76519bac4cff0206fbdd13fd4f016b7d7fe3607fd0c4b25dde7155765a9b2ae
DarkCloud
+ 1'013 additional samples on MalwareBazaar
Result
Malware family:
darkcloud
Create hunting rule
Score:
  10/10
Tags:
family:darkcloud persistence stealer upx
Link:
https://tria.ge/reports/230713-ggamysgd6v/
Behaviour
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
UPX packed file
DarkCloud
Unpacked files
SH256 hash:
3b75425895af4ae3186b36277553641e37ca1d620ae18d68e40d13351b54de6a
MD5 hash:
94d1531b52774dce52a89e33646d5b1d
SHA1 hash:
29bf887b025b97bd7a9e1e261852ba824234a625
Link:
https://www.unpac.me/results/4bf5ac9f-00e7-4cd4-87c5-b1c150f1c8ca/
SH256 hash:
d2971eaaae41e74b354199be3cffffe53b18bb5354d7494a8f92792c39e1648f
MD5 hash:
ac8e960952e2e470422d262c31901462
SHA1 hash:
52fd15dd82978b05c3589bca307750203684fafe
Link:
https://www.unpac.me/results/4bf5ac9f-00e7-4cd4-87c5-b1c150f1c8ca/
SH256 hash:
9478b553b440d04d9c71971a6a4be7cbd8d7814d35fd6d529aca31af6c0613c9
MD5 hash:
bafef6f5d35d757e33706615f0a391b8
SHA1 hash:
5c3a25a1ab5380a2b4e2d96682009aff9c5c77b5
Link:
https://www.unpac.me/results/4bf5ac9f-00e7-4cd4-87c5-b1c150f1c8ca/
SH256 hash:
8b95203f24e5881751f388bea175563e9c6517273e9bd304938fc13b45a2044b
MD5 hash:
3c082e723a482d064c8b6ad82d51b6ba
SHA1 hash:
6c8aa71ac5132f5b157865b67fdb17eaf88ad6c9
Link:
https://www.unpac.me/results/4bf5ac9f-00e7-4cd4-87c5-b1c150f1c8ca/
SH256 hash:
3a82c4d1fcff8b6ec93f5fb92a3e9ce015cac13a770af5e50f6621bee1219da8
MD5 hash:
6127caa081afcb0a405d6b8836a096fd
SHA1 hash:
f24c481a2a0b9df5bee12509e7c83fb698aa98da
Link:
https://www.unpac.me/results/4bf5ac9f-00e7-4cd4-87c5-b1c150f1c8ca/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

DarkCloud

Executable exe 3a82c4d1fcff8b6ec93f5fb92a3e9ce015cac13a770af5e50f6621bee1219da8

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/417226/

Comments